Ok, I've made some progress. I've managed to get MediaWiki authenticating with AD when using clear instead of SSL, so it does appear to be an encryption issue.
My webserver (IIS) should trust my Active Directory SSL Certificate; these get pushed via group policy via our own internal CA. Anyone got any ideas?

David

On Wed, Feb 2, 2011 at 2:51 PM, David Holder <[email protected]> wrote:
> Ok, I've been doing some testing and don't think it's an SSL issue
> (yet), although I'm getting a bit confused with the configuration
> settings.
>
> On the Wiki page for "Single Domain Requiring Search Before Binding"
> for the Active Directory specific guidelines I've used the code from
> there and get the following:
>
>
> 2011-02-02 12:12:44 wikidb: Doing a straight bind
> 2011-02-02 12:12:44 wikidb: userdn is: localdomain\someuser
> 2011-02-02 12:12:44 wikidb:
> 2011-02-02 12:12:44 wikidb: Binding as the user
> 2011-02-02 12:12:44 wikidb: Failed to bind as localdomain\someuser
> 2011-02-02 12:12:44 wikidb: Entering allowPasswordChange
> 2011-02-02 12:12:44 wikidb: Entering modifyUITemplate
>
> It's not even using the proxy settings.
>
> However, if I use "Single Domain Requiring Search Before Binding" for
> the generic LDAP specific guidelines I get the following:
>
> 011-02-02 12:14:55 wikidb: Connected successfully
> 2011-02-02 12:14:55 wikidb: Entering getSearchString
> 2011-02-02 12:14:55 wikidb: Doing a proxy bind
> 2011-02-02 12:14:55 wikidb: Failed to bind as (DN of user omitted)
> 2011-02-02 12:14:55 wikidb: Failed to bind
> 2011-02-02 12:14:55 wikidb: User DN is blank
> 2011-02-02 12:14:55 wikidb: Entering allowPasswordChange
> 2011-02-02 12:14:55 wikidb: Entering modifyUITemplate
>
> If I use $wgLDAPSearchStrings (included in the default code for
> Microsoft AD "Single Domain Requiring Search Before Binding") it won't
> use a proxy server. This may be the expected response from the
> configuration, but for a MediaWiki newbie like me, it's handy to know
> and might be worth mentioning on the wiki article itself.
>
> David
>
> On Tue, Feb 1, 2011 at 10:37 PM, David Holder <[email protected]> wrote:
>> Hi Ryan,
>>
>> Well, upon closer inspection of my old plugin the login wasn't
>> actually working as expected. I'll have a look at the link you've
>> provided and see how I get on.
>>
>> Thanks,
>>
>> David
>>
>> On Tue, Feb 1, 2011 at 9:46 PM, Ryan Lane <[email protected]> wrote:
>>> Go back to using your original config, it was correctly set up for
>>> auto-login. Also, I'm betting that SSL isn't working. It's the most
>>> common problem with configuring the plugin:
>>>
>>> http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Requirements#Windows_Server_2003_and_2008
>>>
>>> - Ryan Lane
>>>
>>> On Tue, Feb 1, 2011 at 3:33 PM, David Holder <[email protected]> wrote:
>>>> Hi Ryan,
>>>>
>>>> Thanks for that, shortly realised afterwards my mistake.
>>>>
>>>> It seems that my ldap config isn't searching before binding:
>>>>
>>>> Config:
>>>>
>>>> require_once ('extensions/LdapAuthentication.php');
>>>>
>>>> $wgAuth = new LdapAuthenticationPlugin();
>>>> $wgLDAPDebug = 3;
>>>> $wgDebugLogGroups["ldap"] = "C:\NewDebug.log" ;
>>>>
>>>> $wgLDAPDomainNames = array(
>>>>     'localdomain.local'
>>>> );
>>>>
>>>> $wgLDAPServerNames = array(
>>>>     'localdomain.local' => 'DC1.localdomain.local DC2.localdomain.local'
>>>> );
>>>>
>>>> $wgLDAPSearchStrings = array(
>>>>     'localdomain.local' => 'uid=USER-NAME,OU=Users,DC=localdomain,DC=local'
>>>> );
>>>>
>>>> $wgLDAPEncryptionType = array(
>>>>     'localdomain.local' => 'ssl'
>>>> );
>>>>
>>>> $wgMinimalPasswordLength = 1;
>>>>
>>>> $wgLDAPProxyAgent = array(
>>>>     'localdomain.local' =>
>>>>     'cn=MediaWikiLDAPSearcher,ou=Users,dc=localdomain,dc=local'
>>>> );
>>>>
>>>> $wgLDAPProxyAgentPassword = array(
>>>>     'localdomain.local' => 'MyLDAPSearcherPassword'
>>>> );
>>>>
>>>> Debug:
>>>>
>>>> 2011-02-01 21:11:11 wikidb: Entering validDomain
>>>> 2011-02-01 21:11:11 wikidb: User is using a valid domain.
>>>> 2011-02-01 21:11:11 wikidb: Setting domain as: localdomain.local
>>>> 2011-02-01 21:11:11 wikidb: Entering getCanonicalName
>>>> 2011-02-01 21:11:11 wikidb: Username isn't empty.
>>>> 2011-02-01 21:11:11 wikidb: Munged username: someuser
>>>> 2011-02-01 21:11:11 wikidb: Entering userExists
>>>> 2011-02-01 21:11:11 wikidb:
>>>> 2011-02-01 21:11:11 wikidb: Entering authenticate
>>>> 2011-02-01 21:11:11 wikidb:
>>>> 2011-02-01 21:11:11 wikidb: Entering Connect
>>>> 2011-02-01 21:11:11 wikidb: Using SSL
>>>> 2011-02-01 21:11:11 wikidb: Using servers:
>>>> ldaps://DC1.localdomain.local ldaps://DC2.localdomain.local
>>>> 2011-02-01 21:11:11 wikidb: Connected successfully
>>>> 2011-02-01 21:11:11 wikidb: Entering getSearchString
>>>> 2011-02-01 21:11:11 wikidb: Doing a straight bind
>>>> 2011-02-01 21:11:11 wikidb: userdn is:
>>>> uid=someuser,OU=Users,DC=localdomain,DC=local
>>>> 2011-02-01 21:11:11 wikidb:
>>>> 2011-02-01 21:11:11 wikidb: Binding as the user
>>>> 2011-02-01 21:11:11 wikidb: Failed to bind as
>>>> uid=someuser,OU=Users,DC=localdomain,DC=local
>>>> 2011-02-01 21:11:11 wikidb: Entering allowPasswordChange
>>>> 2011-02-01 21:11:11 wikidb: Entering modifyUITemplate
>>>>
>>>> On Tue, Feb 1, 2011 at 9:12 PM, Ryan Lane <[email protected]> wrote:
>>>>>> $wgLDAPDebug = 3;
>>>>>> $wgDebugLogFile = 'C:\LDAPDebug.log';
>>>>>> require_once ('extensions/LdapAuthentication.php');
>>>>>>
>>>>>> $wgAuth = new LdapAuthenticationPlugin();
>>>>>> //LDAP Code from "Single Domain Requiring Search Before Binding"
>>>>>> Including proxy settings.
>>>>>>
>>>>>
>>>>> Please see:
>>>>> http://www.mediawiki.org/wiki/Extension:LDAP_Authentication/Options#Debugging_options
>>>>>
>>>>> I use a specific log group so that the logs will be separated out:
>>>>>
>>>>> $wgDebugLogGroups["ldap"] = "C:\LDAPDebug.log";
>>>>>
>>>>> Also, place options after the $wgAuth line, not before it.
>>>>>
>>>>> - Ryan Lane
>>>>>
>>>>> _______________________________________________
>>>>> MediaWiki-l mailing list
>>>>> [email protected]
>>>>> https://lists.wikimedia.org/mailman/listinfo/mediawiki-l
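The thread above is chasing two separate things at once: whether the LDAPS connection is trusted (Ryan's "I'm betting that SSL isn't working"), and whether the plugin is doing a proxy bind followed by a search, or a straight bind against a guessed DN. The standalone PHP script below is an added diagnostic example; it is not code from the thread and not part of the LDAP Authentication extension. It walks the same three stages the plugin logs (connect, proxy bind, user lookup, then bind as the user) outside MediaWiki, with certificate verification enforced rather than disabled so that a trust failure shows up as an explicit error at the proxy-bind stage. It assumes PHP 7.1 or later with ext/ldap, that the internal CA certificate is exported to a PEM file at the path given, that the proxy account lives in the default CN=Users container (the thread uses ou=Users; adjust to wherever the account actually is), and that logins are keyed on sAMAccountName, which is how Active Directory stores the logon name. Server names are taken from the thread; the CA path, environment variable, function name and DNs are assumed placeholders.

```php
<?php
// Added diagnostic example, not code from the mailing-list thread or from the
// LDAP Authentication extension. Hostnames come from the thread; CA path,
// proxy DN location and the LDAP_PROXY_PASSWORD variable are assumptions.

function ldapsSearchBeforeBind(
    array $servers, string $caFile, string $baseDn,
    string $proxyDn, string $proxyPass,
    string $username, string $password
): array {
    // TLS options are global in ext/ldap: set them on a null handle before
    // the connection is opened. DEMAND means "fail if the server cert does not
    // chain to $caFile", which is what you want when a domain CA issues the
    // DC certificates via group policy.
    ldap_set_option(null, LDAP_OPT_X_TLS_CACERTFILE, $caFile);
    ldap_set_option(null, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);

    // The extension passes a space-separated URI list; ldap_connect accepts the same.
    $conn = ldap_connect(implode(' ', $servers));
    if ($conn === false) {
        return ['ok' => false, 'stage' => 'connect', 'error' => 'invalid server URI'];
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    // AD returns referrals for parts of the forest; chasing them breaks searches.
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Stage 1: proxy bind. A certificate that does not validate typically
    // surfaces here as "Can't contact LDAP server" rather than as a TLS message.
    if (!@ldap_bind($conn, $proxyDn, $proxyPass)) {
        return ['ok' => false, 'stage' => 'proxy bind', 'error' => ldap_error($conn)];
    }

    // Stage 2: resolve the user's DN. Escape the username so a login name
    // cannot alter the filter (LDAP filter injection).
    $safeUser = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
    $filter   = '(&(objectClass=user)(sAMAccountName=' . $safeUser . '))';
    $res      = ldap_search($conn, $baseDn, $filter, ['dn']);
    $entries  = $res ? ldap_get_entries($conn, $res) : ['count' => 0];
    if ($entries['count'] !== 1) {
        // Zero matches is the "User DN is blank" case from the thread; more than
        // one means the filter or base DN is too broad.
        return ['ok' => false, 'stage' => 'search',
                'error' => 'expected exactly 1 entry, got ' . $entries['count']];
    }
    $userDn = $entries[0]['dn'];

    // Stage 3: bind as the user. An empty password must be rejected before
    // calling ldap_bind: many directories treat it as an unauthenticated bind
    // that "succeeds", which would look like a valid login.
    if ($password === '') {
        return ['ok' => false, 'stage' => 'user bind', 'error' => 'empty password rejected'];
    }
    if (!@ldap_bind($conn, $userDn, $password)) {
        return ['ok' => false, 'stage' => 'user bind', 'error' => ldap_error($conn)];
    }
    ldap_unbind($conn);
    return ['ok' => true, 'stage' => 'done', 'dn' => $userDn];
}

// Usage: values below are placeholders; the password comes from the environment
// so it never sits in the script or in a pasted log.
$result = ldapsSearchBeforeBind(
    ['ldaps://DC1.localdomain.local', 'ldaps://DC2.localdomain.local'],
    'C:\certs\internal-ca.pem',
    'DC=localdomain,DC=local',
    'CN=MediaWikiLDAPSearcher,CN=Users,DC=localdomain,DC=local',
    getenv('LDAP_PROXY_PASSWORD') ?: '',
    $argv[1] ?? 'someuser',
    getenv('LDAP_TEST_PASSWORD') ?: ''
);
print_r($result);
```

Running this from the web server itself (the machine whose trust store matters, not the admin's workstation) separates the two questions: if it fails at `proxy bind` with "Can't contact LDAP server" while the same script succeeds after switching the URIs to `ldap://`, the problem is certificate trust on that host; if the proxy bind succeeds but `search` returns zero entries, the base DN or the attribute in the filter is wrong, and that is what the extension's search-string configuration needs to match.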
